DATA PROTECTION & DATA HANDLING POLICY
Effective: 2026
This Policy is issued pursuant to the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and the General Data Protection Regulation (EU) 2016/679 (GDPR) where applicable. It applies to all personal data processed by Vicsmall in the course of its operations.
1. SCOPE & APPLICATION
This Policy applies to:
- All personal data of Users (Buyers and Vendors) collected through the Platform
- Personal data of Vicsmall employees and contractors processed for employment purposes
- Personal data processed by Vicsmall as a Data Processor on behalf of Vendor Data Controllers
- Cross-border data transfers in connection with importation/wholesale activities
2. DATA GOVERNANCE STRUCTURE
2.1 Data Protection Officer (DPO)
Vicsmall has appointed a Data Protection Officer responsible for overseeing compliance with this Policy, the NDPA, and all applicable data protection legislation. The DPO reports directly to senior management and may be contacted at dpo@vicsmall.com.
2.2 Data Controller vs Data Processor
Vicsmall acts as Data Controller in respect of data it collects from platform Users. Where Vicsmall processes data on behalf of Vendors (e.g., storing Vendor customer lists for order management purposes), it acts as a Data Processor and will enter into a Data Processing Agreement (DPA) with each such Vendor.
3. DATA CLASSIFICATION
| Classification | Examples | Handling Standard |
|---|---|---|
| Public | Product listings, public reviews | No special handling required |
| Internal | Analytics, platform logs | Access restricted to authorised staff |
| Confidential | User profiles, transaction history | Encrypted at rest and in transit; access-logged |
| Highly Confidential | BVN, bank details, KYC documents, health/biometric data | Strongest encryption; need-to-know basis only; DPA oversight |
4. DATA COLLECTION PRINCIPLES
All personal data collected by Vicsmall must satisfy the following principles (Section 24, NDPA 2023):
- Lawfulness, fairness and transparency: data is processed on a lawful basis and in a manner transparent to the data subject
- Purpose limitation: data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
- Data minimisation: only data that is adequate, relevant, and limited to what is necessary is collected
- Accuracy: reasonable steps are taken to ensure data is accurate and kept up to date
- Storage limitation: data is not retained longer than necessary
- Integrity and confidentiality: appropriate security measures are maintained
- Accountability: Vicsmall maintains records of processing activities and demonstrates compliance
5. DATA PROCESSING REGISTER
Vicsmall maintains a Register of Processing Activities (ROPA) documenting all categories of personal data processed, the purposes of processing, data recipients, retention periods, and security measures. The ROPA is reviewed and updated at least annually by the DPO, and is available to the NDPC upon request.
6. DATA SUBJECT REQUEST PROCEDURE
Requests to exercise data subject rights are handled as follows:
- The requestor submits the request by email to privacy@vicsmall.com with proof of identity
- Vicsmall acknowledges receipt within 5 business days
- Vicsmall responds substantively within 30 days (extendable by a further 60 days for complex requests, with notice to the requestor)
- Requests that are manifestly unfounded or excessive may be declined, or a reasonable fee may be charged for them, with written reasons provided
- Refusals may be appealed to the NDPC
7. DATA BREACH MANAGEMENT
Vicsmall maintains a Data Breach Response Plan. Upon becoming aware of a breach:
- Immediate containment measures are activated within 1 hour of discovery
- Internal escalation to the DPO and senior management within 2 hours
- Assessment of risk to affected data subjects within 12 hours
- Notification to the NDPC within 72 hours of becoming aware of the breach (where the breach is likely to result in a risk to data subjects' rights)
- Notification to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Full incident report documented within 7 days
8. DATA PROCESSING AGREEMENTS (DPAs)
Where Vicsmall engages third-party processors (e.g., cloud hosting providers, analytics firms, payment processors), a written DPA is executed prior to any processing, incorporating: the subject matter and duration of processing; the nature and purpose of processing; the type of personal data; the categories of data subjects; and the obligations and rights of the Data Controller — all as required by Schedule 2 of the NDPA 2023.
9. TRAINING & AWARENESS
All Vicsmall staff and contractors with access to personal data undergo mandatory data protection training upon onboarding and at least annually thereafter. Non-compliance with this Policy may result in disciplinary action.
10. POLICY REVIEW
This Policy is reviewed by the DPO at least annually or following any material change in applicable legislation, regulatory guidance, or Vicsmall's processing activities.


